Disabling SSLv3 but still supporting SSLv2Hello in Apache

Solution 1:

Apparently mod_ssl has changed in the last year or so (I haven't found the exact commit to the source, but found the "problem"). The source now does this:

If SSLProtocol includes only one Protocol:
    Handshake = That Protocol's Handshake Only
Else
    Handshake = SSLv2 Handshake

There's no override for this setting. The only thing you could do is edit the source and recompile your own version. I've created a diff to force SSLv2 Handshake compatibility if you want to compile your own.

Solution 2:

So it turns out this was a non-issue all along. Apache will accept SSLv2 handshake with either of the configurations I posted above. I was misled by a handshake error into thinking this was the issue; it was really just a configuration issue where the server wasn't trusting the client's CA.